Abstract

This document gives semantics to programs written in a C-like programming language, 
featuring interactions with an external environment with noisy and imprecise data. 

1 Introduction 

The purpose of this report is to define a concrete semantics for a toy imperative language, meant
to incorporate the essential features of languages such as C, as used in numerical control programs
such as those used in the ANR CPP project.

Some of the distinctive aspects of these programs are: the prominent use of floating-point
operations; and the fact that these programs read inputs from sensors. Both these features imply
that the values of numerical program variables are uncertain. Floating-point operations are
vulnerable to round-off errors, which can be modeled as quantization noise. Uncertainty is probably
more manifest with sensors, which return values up to some measurement error. This measurement
error can be described by giving guaranteed bounds (this is non-determinism: any value in
the interval can be the actual value), or by giving a probability distribution (this is randomness:
some values are more likely than others), or a combination of both. To deal with the latter, more
complex combinations, we rest on variants of two semantic constructions that were studied by the
first author, previsions [Gou07] and capacities [GL07].

The main goal of a concrete semantics is to serve as a reference. In our case, we wish to be able 
to prove the validity of associated abstract semantics and static analysis algorithms, as presented 
in other CPP deliverables. The kind of abstract semantics we are thinking of was produced, as 
part of CPP, in [BGGP11]. (While it might seem strange that the publication of the abstract 
semantics predates the design of the concrete semantics, one might say that both were developed 
at roughly the same time, with an eye on each other.) So one of our constraints was to ensure 
that our concrete semantics should make it easy to justify the abstract semantics we intend. 

Before we start, we should also mention an important point. Numerical programs manipulate 
floating-point values, which are values from a finite set meant to denote some approximate real 
values. It is customary to think of floating-point values as reals, up to some error. This is why 
we shall define a first semantics, called the real semantics, where variables hold actual reals, and 
no round-off is performed at all. This has well-defined mathematical contents, but is not what 
genuine C programs compute. So we define a second semantics, the floating-point semantics, 
which is meant to faithfully denote what C programs compute, but works on floating-point data, 
mathematically an extremely awkward concept: e.g., floating-point addition is not associative, has
one absorbing element (NaN), has no inverse in general (the opposite of infinity inf, namely −inf, is not an
inverse since the sum of inf and −inf is NaN, not 0). But the two semantics are related, through
quantization, which is roughly the process of rounding a real number to the nearest floating-point 
value. 

While the real semantics is much simpler to define than the floating-point semantics without 
random choice or non-determinism (e.g., the semantics of + is merely addition), the situation 
changes completely in the presence of random or non-deterministic choice. Let us explain this
briefly. The prevision semantics of the style presented in [Gou07] is based on continuous maps
and continuous previsions. This is perfectly coherent for ordinary, non-numerical programs (or for
numerical programs in the floating-point semantics, where the type of floating-point numbers is
merely yet another finite data type). However, this is completely at odds with the real semantics.
To give a glimpse of the difficulty, one can define the Heaviside function $\chi_{[0,+\infty)}$ as a numerical
C program with real semantics, say by if x < 0 then 0.0 else 1.0, and this is definitely not
continuous. The deep problem is that, up to some inaccuracies, continuous semantics cannot
describe more than computable operations, but the real semantics must be non-computable: even
if we restricted ourselves to computable reals, testing whether a computable real is equal to 0 is
undecidable.

There are at least two ways to resolve this conundrum. The first one is to cling to the continuous
semantics of random choice and non-determinism of [Gou07] or [GL07], and work not on reals
(or tuples of reals, in $\mathbb{R}^n$, representing the list of values of all $n$ program variables), but rather
on a computational model of $\mathbb{R}^n$. The notion of computational model of a topological space
originates from Lawson [Law97]. For example, the dcpo of non-empty closed intervals of reals is
a computational model for $\mathbb{R}$, and the Heaviside map would naturally be modeled as the function
mapping every negative real to 0, every positive real to 1, and 0 to the interval [0, 1]. This is
elegant, mathematically well-founded, and would allow us to reuse the continuous constructions of
[Gou07] or [GL07]. But it falls short of giving an account of real number computation as operating
on reals.

We shall explore the second way here: we shall give a real semantics in terms of measurable, 
not continuous, maps. This will give us the required degrees of freedom to define our semantics — 
e.g., the Heaviside map is measurable — while allowing us to define the semantics of random, 
non-deterministic and mixed choice: anticipating slightly on future sections, this involves
generalized forms of integration, which will be well-defined precisely on measurable maps. We develop
the required theory in sections to come, by analogy with both the classical Lebesgue theory of 
integration and the above cited work on continuous previsions and capacities. 

In the presence of random choice only (no non-determinism), our semantics will be isomorphic
to Kozen's semantics of probabilistic programs [Koz81], and his clauses for computing expectations 
backwards will match our prevision-based semantics. The semantics we shall describe in the 
presence of other forms of choice (non-deterministic, mixed) are new. 



Outline. In Section 2, we introduce the syntax of the programs analyzed. In Section 3, we
define the maps which are used to pass from floating-point numbers to real numbers and vice versa. In
Section 4, we define the concrete semantics of expressions and tests and prove the measurability
of the semantics. In Section 5, we define our concrete semantics, based on a continuation-passing
style. We also prove in Section 5 the link between our semantics and the theory of previsions.
Finally, in Section 6, we treat separately the semantics of the input instruction.



2 Syntax 

Let $V$ be a countable set of so-called (program) variables. For each operation $op$ on real numbers,
we reserve the symbol $\overline{op}$ for a syntactic operation meant to implement $op$ (in the real semantics)
or some approximation of $op$ (in the floating-point semantics). The syntax of a simple imperative
language working on real/floating-point values is given in Figure 1. This syntax does not include
any non-deterministic or probabilistic choice construct: uncertainty will be in the initial values of
the variables, and will not be created by the program while running.
    expr ::= a
           | x                                      (x ∈ V)
           | -expr
           | expr + expr
           | expr - expr
           | expr × expr
           | expr / expr

    test ::= expr <= expr
           | expr < expr
           | expr == expr
           | expr != expr
           | !test

    inst ::= ℓ skip
           | ℓ x := expr                            (x ∈ V)
           | ℓ if test then {inst} else {inst}
           | ℓ while test {inst}
           | inst ; inst

Figure 1: Syntax of Programs



3 Conversion between Floating Point and Real Numbers 

We shall consider two different semantics in Section 4. The first one implements arithmetic with 
floating-point numbers, while the second one relies on actual real numbers. Here, we describe the 
two types and how we convert between them. 

However, one should first be aware of the pitfalls that are hidden in such a task [Mon08]. 
First and foremost, floating-point numbers are meant to give approximations to real numbers, but 
floating-point computations may give values that are arbitrarily far from the corresponding real 
number computation. Monniaux (op. cit., Section 5) gives the example of the following program: 

    #include <math.h>

    double modulo(double x, double mini, double maxi) {
      double delta = maxi - mini;
      double decl = x - mini;
      double q = decl / delta;
      return x - floor(q) * delta;
    }

    int main() {
      double m = 180.;
      /* nextafter(m, 0.) is the largest double strictly below 180 */
      double r = modulo(nextafter(m, 0.), -m, m);
      return 0;
    }

In a semantics working on real numbers, modulo would return the unique number $z$ in the interval
[mini, maxi) such that $x - z$ is a multiple of the interval length maxi − mini. So, certainly, whatever
nextafter actually computes, r should be in the interval [−180, 180).

However, running this using IEEE 754 floating-point arithmetic may (and usually will) return
−180.0000000000000284 for r. (Here we need to say that nextafter(m, 0.) returns the floating-point
number that is maximal among those that are strictly smaller than m. This has no equivalent in the
world of real numbers, and accordingly our language does not include this function.) This is only
logical:

• When we enter modulo, x is equal to $180 - 2^{-45}$;

• Then maxi − mini is computed (= 360), and x − mini is computed (= $360 - 2^{-45}$); these
values are then rounded to the nearest floating-point number, and this is 360 in both cases;

• so delta, decl are both equal to 360, q equals 1;

• so modulo returns (the result of rounding applied to) $(180 - 2^{-45}) - (1 \times 360) = -180 - 2^{-45} \approx -180.0000000000000284$.

Of course, the right result, if computed using real numbers instead of floating-point numbers,
should be $180 - 2^{-45} \approx 179.9999999999999716$.

This example illustrates the fact that, even though one can think of each
single operation (addition, product, etc.) as being implemented in floating-point computation as
though one first computed the exact, real number result and then rounded it, hence obtaining
a best possible approximant, this is no longer true for whole programs.
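To see the divergence concretely, here is an added Python reproduction of Monniaux's example; it is not code from the report. The same four operations are run once in IEEE 754 double arithmetic (Python floats, with math.nextafter from Python 3.9 or later playing the role of C's nextafter) and once on exact rationals via fractions.Fraction, which plays the role of the real semantics. The input is the same exact number in both runs, since converting a double to a Fraction loses nothing.

```python
from fractions import Fraction
from math import floor, nextafter


def modulo_double(x: float, mini: float, maxi: float) -> float:
    """Monniaux's modulo, evaluated in IEEE 754 double arithmetic
    (round to nearest after every single operation)."""
    delta = maxi - mini
    decl = x - mini
    q = decl / delta
    return x - floor(q) * delta


def modulo_real(x: Fraction, mini: Fraction, maxi: Fraction) -> Fraction:
    """The same program under the real semantics: no rounding anywhere."""
    delta = maxi - mini
    decl = x - mini
    q = decl / delta
    return x - floor(q) * delta


def run_example() -> dict:
    """Evaluate modulo(nextafter(180, 0), -180, 180) in both semantics."""
    m = 180.0
    x = nextafter(m, 0.0)  # largest double strictly below 180: 180 - 2^-45
    r_float = modulo_double(x, -m, m)
    # Fraction(float) is exact, so the real run starts from the very same input.
    r_real = modulo_real(Fraction(x), Fraction(-m), Fraction(m))
    return {
        "input": Fraction(x),
        "float_result": r_float,   # -180 - 2^-45: decl rounded up to 360, so q = 1
        "real_result": r_real,     # 180 - 2^-45: q < 1, so floor(q) = 0
        "float_in_range": -m <= r_float < m,                     # False
        "real_in_range": Fraction(-m) <= r_real < Fraction(m),   # True
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value!r}")
```

The float run fails the interval property that the real semantics guarantees, because x − mini lands exactly halfway between two doubles and ties-to-even rounds it up to 360, turning the quotient into 1.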

Monniaux goes further, and stresses the fact that various choices in compiler options (e.g.,
x87 vs. IEEE 754 arithmetic), IEEE 754 rounding modes, abusive optimization strategies (e.g.,
where the compiler uses the fact that addition is associative, which is wrong in floating-point
arithmetic, see op. cit., Section 4.3.2), processor-dependent optimization strategies (e.g., see op.
cit., Section 3.2, about the use of the multiply-and-add assembler instruction on PowerPC
microprocessors), pragmas (op. cit., Section 4.3.1), all may result in surprising changes in computed
values.

This causes difficulties in defining sound semantics for floating-point programs, discussed in 
op. cit., Section 7.3. 

But our purpose is not to verify arbitrary numerical programs, and one can make some
simplifying assumptions:

1. We assume that floating-point arithmetic is performed using the IEEE 754 standard on 
floating-point values of a standard, fixed size, typically the 64-bit IEEE 754 ("double") 
type. By this, we not only mean that the basic primitives are implemented as the standard 
prescribes, but that all floating-point values are stored in this format, even when stored in 
registers. This is meant to avoid the sundry, dreaded problems mentioned by Monniaux with 
the use of x87 arithmetic (where registers hold 80-bit intermediate values). 

2. We assume that the rounding mode is fixed, once and for all for all programs. In particular, 
calls to functions that change the rounding mode on the fly are prohibited. 

3. We assume that all optimizations related to floating-point computations are turned off. This
is meant to avoid abusive (unsound) optimizations (e.g., assuming associativity), and also to
avoid processor-dependent optimizations (e.g., compiling $a \times x + b$ using a single multiply-and-add
instruction: this skips the intermediate rounding that should have occurred when
computing $a \times x$, and therefore changes the floating-point semantics).

4. We assume that the only floating-point operations allowed are arithmetic operations (i.e.,
+, −, ×, /, but not nextafter for example, or the %f, %g and related directives of printf,
scanf and relatives; nor casts to and from the int type — which we shall actually omit).
Library functions such as sin, cos, exp, log would be allowable in principle, and their
semantics would follow the same ideas as presented below — provided we make sure that
their implementations produce results that are correct in the ulp as well (i.e., that they are
computed as though the exact result was computed, then rounded; the ulp, a.k.a. the unit
in the last place, is the least significant bit of the mantissa).
These assumptions allow us to simplify our semantics considerably.

Let us go on with the actual data types of floating-point, resp. real numbers. The IEEE
754 standard specifies that, in addition to values representing real numbers, floating-point values
include values denoting $+\infty$ (which we write inf), $-\infty$ (−inf), and silent errors (NaN, for "not a
number"). One can obtain the first two through arithmetic overflow, e.g., by computing 1.0/0.0
or −1.0/0.0, and NaNs, e.g., by computing inf − inf. Under Assumption (4) above, there will be
no way of distinguishing any such values through the execution of expressions. We abstract them
all into a unique symbol err (error).

An added benefit of this abstraction is that it dispenses us from considering the difference 
between the two zeroes, +0.0 and —0.0, of IEEE 754 arithmetic. These are meant to satisfy 
1.0/inf = +0.0, 1.0/ — inf = —0.0, but are otherwise equal, in the sense that the equality 
predicate applied to +0.0 and —0.0 must return true. Collapsing inf, —inf, and NaN into just one 
value err therefore also allows us to confuse the two zeroes, without harm. This is important if
we stick to our option that single floating-point operations should compute the exact result then
round: rounding the real number 0 to the nearest would be a nonsense with two floating-point
numbers representing 0.

The error err is absorbing for all standard arithmetic operations. This means that in our 
semantic definitions we assume that the error is propagated during the execution of a program 
which contains these special numbers. Now, we extend by the error symbol err the classical sets
of floating-point and real numbers, which we denote respectively by $\mathbb{F}$ and $\mathbb{R}$. This yields two
new sets: $\mathbb{F}_e = \mathbb{F} \cup \{\mathrm{err}\}$ and $\mathbb{R}_e = \mathbb{R} \cup \{\mathrm{err}\}$.

Convention 1

Let $r$ be in $\mathbb{R}_e$. Let $\circ$ be in $\{+, -, \times, /\}$. Then:

$$\mathrm{err} \circ r = r \circ \mathrm{err} = r/0 = -\mathrm{err} = \mathrm{err}$$

We consider floating-point numbers as special real numbers. Formally, there is a canonical injection inj
that lets us convert a floating-point value (in $\mathbb{F}_e$) into a real number (in $\mathbb{R}_e$):

$$\mathrm{inj} : \mathbb{F}_e \to \mathbb{R}_e,\qquad f \mapsto \mathrm{inj}(f) = \begin{cases} \mathrm{err} & \text{if } f = \mathrm{err} \\ f & \text{otherwise} \end{cases}$$

Conversely, there is a projection map $\mathrm{proj}_{\mathbb{F}_e} : \mathbb{R}_e \to \mathbb{F}_e$ that converts a real number to its
rounded, floating-point representation, as follows. We let $F_{\min}$ be the smallest floating-point
number and $F_{\max}$ be the largest. The $\mathrm{proj}_{\mathbb{F}_e}$ map is required to satisfy the following properties:

• if $r \notin [F_{\min}, F_{\max}]$, then $\mathrm{proj}_{\mathbb{F}_e}(r) = \mathrm{err}$;

• if $r = \mathrm{inj}(f)$ then $\mathrm{proj}_{\mathbb{F}_e}(r) = f$.

We shall also later require $\mathrm{proj}_{\mathbb{F}_e}$ to be measurable (see Proposition 1).

This can be achieved for example by the round-to-nearest function, defined by:

$$\mathrm{proj}_{\mathbb{F}_e} : \mathbb{R}_e \to \mathbb{F}_e,\qquad r \mapsto \mathrm{proj}_{\mathbb{F}_e}(r) = \begin{cases} \mathrm{err} & \text{if } r \notin [F_{\min}, F_{\max}] \\ \operatorname{argmin}\{|f - r| \mid f \in \mathbb{F}\} & \text{otherwise} \end{cases}$$

When $\operatorname{argmin}\{|f - r| \mid f \in \mathbb{F}\}$ contains two elements, the IEEE 754 standard specifies even
rounding, i.e., we take the value $f \in \mathbb{F}$ whose ulp (last bit of the mantissa) is 0.



4 Concrete Semantics of Expressions and Tests 

We now construct two concrete semantics, the first one denoted by $[\![\cdot]\!]_r$ on real numbers, the
second one denoted by $[\![\cdot]\!]_f$ on floating-point values. The construction of these semantics is based
on the two maps inj and $\mathrm{proj}_{\mathbb{F}_e}$ defined above.
4.1 Concrete Semantics of Expressions

Every expression will be interpreted in an environment $\rho$, which serves to specify the values of
variables. Simply, $\rho$ is a map from the set $V$ of variables to $\mathbb{R}_e$ (in the real number semantics) or
to $\mathbb{F}_e$ (in the floating-point semantics). We denote by $\Sigma_f$ the set of floating-point environments,
and by $\Sigma_r$ the set of real number environments.

We start with the semantics in the real model. Let $\rho_r$ be in $\Sigma_r$. The concrete semantics $[\![\mathit{expr}]\!]_r$
of expressions is constructed in the obvious way:

$$\begin{aligned}
[\![a]\!]_r(\rho_r) &= a \\
[\![x]\!]_r(\rho_r) &= \rho_r(x) \\
[\![-e]\!]_r(\rho_r) &= -[\![e]\!]_r(\rho_r) \\
[\![e_1 + e_2]\!]_r(\rho_r) &= [\![e_1]\!]_r(\rho_r) + [\![e_2]\!]_r(\rho_r) \\
[\![e_1 - e_2]\!]_r(\rho_r) &= [\![e_1]\!]_r(\rho_r) - [\![e_2]\!]_r(\rho_r) \\
[\![e_1 \times e_2]\!]_r(\rho_r) &= [\![e_1]\!]_r(\rho_r) \times [\![e_2]\!]_r(\rho_r) \\
[\![e_1 / e_2]\!]_r(\rho_r) &= [\![e_1]\!]_r(\rho_r) / [\![e_2]\!]_r(\rho_r)
\end{aligned}$$

The operations are well-defined by Convention 1. 

Now let us define the floating-point semantics. Let $\rho_f$ be in $\Sigma_f$. The floating-point semantics
$[\![\mathit{expr}]\!]_f$ of expressions is defined by rounding at the evaluation of each subexpression:

$$\begin{aligned}
[\![a]\!]_f(\rho_f) &= \mathrm{proj}_{\mathbb{F}_e}(a) \\
[\![x]\!]_f(\rho_f) &= \rho_f(x) \\
[\![-e]\!]_f(\rho_f) &= \mathrm{proj}_{\mathbb{F}_e}\big(-\mathrm{inj}([\![e]\!]_f(\rho_f))\big) \\
[\![e_1 + e_2]\!]_f(\rho_f) &= \mathrm{proj}_{\mathbb{F}_e}\big(\mathrm{inj}([\![e_1]\!]_f(\rho_f)) + \mathrm{inj}([\![e_2]\!]_f(\rho_f))\big) \\
[\![e_1 - e_2]\!]_f(\rho_f) &= \mathrm{proj}_{\mathbb{F}_e}\big(\mathrm{inj}([\![e_1]\!]_f(\rho_f)) - \mathrm{inj}([\![e_2]\!]_f(\rho_f))\big) \\
[\![e_1 \times e_2]\!]_f(\rho_f) &= \mathrm{proj}_{\mathbb{F}_e}\big(\mathrm{inj}([\![e_1]\!]_f(\rho_f)) \times \mathrm{inj}([\![e_2]\!]_f(\rho_f))\big) \\
[\![e_1 / e_2]\!]_f(\rho_f) &= \mathrm{proj}_{\mathbb{F}_e}\big(\mathrm{inj}([\![e_1]\!]_f(\rho_f)) / \mathrm{inj}([\![e_2]\!]_f(\rho_f))\big)
\end{aligned}$$
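The following added Python model, which is not part of the report, implements Section 3 and Section 4.1 together: the error symbol err, Convention 1, inj, a round-to-nearest proj over the IEEE 754 double type, and the two evaluators $[\![\cdot]\!]_r$ and $[\![\cdot]\!]_f$ over a small expression tree. It assumes the binary64 type, for which $F_{\max}$ is sys.float_info.max and $F_{\min} = -F_{\max}$; the nested-tuple encoding of expressions is chosen here for the example. The run at the end evaluates (x + y) + z and x + (y + z) for x = 1, y = z = $2^{-53}$ in both semantics, which exhibits the non-associativity mentioned in the introduction, and checks division by zero and overflow, which both collapse to err.

```python
import sys
from fractions import Fraction

ERR = "err"                  # single symbol abstracting inf, -inf and NaN
F_MAX = sys.float_info.max   # largest finite double
F_MIN = -F_MAX               # smallest finite double (binary64 is symmetric)


def inj(f):
    """inj : F_e -> R_e. A finite double is an exact rational, so Fraction(f) loses nothing."""
    return ERR if f == ERR else Fraction(f)


def proj(r):
    """proj_{F_e} : R_e -> F_e, round to nearest with ties to even.
    CPython's Fraction -> float conversion is correctly rounded (it is an integer
    true division), so within [F_min, F_max] it is the argmin{|f - r|} of the text."""
    if r == ERR or not (Fraction(F_MIN) <= r <= Fraction(F_MAX)):
        return ERR
    return float(r)


def real_op(op, a, b):
    """Arithmetic on R_e following Convention 1: err is absorbing and r/0 = err."""
    if a == ERR or b == ERR:
        return ERR
    if op == "/" and b == 0:
        return ERR
    return {"+": a + b, "-": a - b, "*": a * b, "/": a / b}[op]


# Expression trees: ("const", Fraction), ("var", name), ("neg", e), (op, e1, e2)
def sem_r(e, rho):
    """[[e]]_r : the real semantics, every operation exact."""
    kind = e[0]
    if kind == "const":
        return e[1]
    if kind == "var":
        return rho[e[1]]
    if kind == "neg":
        v = sem_r(e[1], rho)
        return ERR if v == ERR else -v
    return real_op(kind, sem_r(e[1], rho), sem_r(e[2], rho))


def sem_f(e, rho):
    """[[e]]_f : the floating-point semantics, rounding after every subexpression."""
    kind = e[0]
    if kind == "const":
        return proj(e[1])
    if kind == "var":
        return rho[e[1]]
    if kind == "neg":
        v = inj(sem_f(e[1], rho))
        return proj(ERR if v == ERR else -v)
    a, b = inj(sem_f(e[1], rho)), inj(sem_f(e[2], rho))
    return proj(real_op(kind, a, b))


def demo():
    """Evaluate (x + y) + z and x + (y + z), plus two error cases, in both semantics."""
    tiny = Fraction(1, 2 ** 53)                        # half an ulp of 1.0
    rho_r = {"x": Fraction(1), "y": tiny, "z": tiny}   # constructed real environment
    rho_f = {v: proj(r) for v, r in rho_r.items()}     # same environment, rounded
    x, y, z = ("var", "x"), ("var", "y"), ("var", "z")
    left = ("+", ("+", x, y), z)
    right = ("+", x, ("+", y, z))
    div0 = ("/", ("const", Fraction(1)), ("const", Fraction(0)))
    overflow = ("*", ("const", Fraction(F_MAX)), ("const", Fraction(2)))
    return {
        "real_left": sem_r(left, rho_r),     # 1 + 2^-52
        "real_right": sem_r(right, rho_r),   # the same: real + is associative
        "float_left": sem_f(left, rho_f),    # 1.0: each half-ulp tie rounds to even
        "float_right": sem_f(right, rho_f),  # 1 + 2^-52: y + z is exact first
        "div0_real": sem_r(div0, rho_r),     # err by Convention 1
        "div0_float": sem_f(div0, rho_f),    # err (IEEE inf, abstracted)
        "overflow_float": sem_f(overflow, rho_f),  # err: leaves [F_min, F_max]
        "overflow_real": sem_r(overflow, rho_r),   # an ordinary rational
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that the two semantics agree on err for division by zero, but only the floating-point one produces err on overflow: in the real semantics the product is simply a large rational, which is exactly the kind of discrepancy the quantization maps are meant to account for.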



4.2 Concrete Semantics of Tests 

The semantics of tests is a bit subtler. Although one cannot distinguish inf, −inf, NaN using
expressions only — this justified, at least partly, our decision to abstract them as a single value
err — one can distinguish them using tests. Experiments with a C compiler (gcc 4.2.1 here) indeed
show the following behaviors:



      a       b     a==b   a!=b   a<=b   a<b   a>=b   a>b
     inf     inf      1      0      1     0      1     0
     inf    -inf      0      1      0     0      1     1
     NaN     NaN      0      1      0     0      0     0


Note for example that a NaN is not considered equal to itself, that a!=b is the negation of a==b
but a>b is not the negation of a<=b (e.g., when a = b = NaN).

There are two ways we can deal with this phenomenon. Either we abandon the confusion
of inf, −inf, NaN as the single value err, which will allow us to replay the above behavior
precisely, but will incur many complications; or we consider that the semantics of tests must be
non-deterministic: not knowing whether err means inf, −inf, NaN, we are forced to consider
that err==err is any value in {0, 1}.

So the semantics of tests will not be a single value, but a set of (Boolean, in {0, 1}) values. One
may say that our concrete semantics is therefore already slightly abstract. We count on the
fact that err abstracts (so-called silent) errors, and should occur rarely in working programs. (We
are not after detecting subtle errors, but after giving reasonable accuracy bounds on actual working
programs.)

On the other hand, we do not need to specify which semantics, floating-point or real, is meant:
both will work in the same way for tests. Let us introduce the new notation $[\![\cdot]\!]_\star$, where $\star$ is either
$f$ (floating-point) or $r$ (real). We denote by $\Sigma_\star$ the set of environments in this context. Let $\rho_\star$ be
in $\Sigma_\star$.



$$[\![e_1\ \mathtt{<=}\ e_2]\!]_\star(\rho_\star) = \begin{cases} \{1\} & \text{if } [\![e_1]\!]_\star(\rho_\star) \neq \mathrm{err},\ [\![e_2]\!]_\star(\rho_\star) \neq \mathrm{err},\ \text{and } [\![e_1]\!]_\star(\rho_\star) \le [\![e_2]\!]_\star(\rho_\star) \\ \{0\} & \text{if } [\![e_1]\!]_\star(\rho_\star) \neq \mathrm{err},\ [\![e_2]\!]_\star(\rho_\star) \neq \mathrm{err},\ \text{and } [\![e_1]\!]_\star(\rho_\star) > [\![e_2]\!]_\star(\rho_\star) \\ \{0, 1\} & \text{if } [\![e_1]\!]_\star(\rho_\star) = \mathrm{err} \text{ or } [\![e_2]\!]_\star(\rho_\star) = \mathrm{err} \end{cases}$$

$$[\![e_1\ \mathtt{<}\ e_2]\!]_\star(\rho_\star) = \begin{cases} \{1\} & \text{if } [\![e_1]\!]_\star(\rho_\star) \neq \mathrm{err},\ [\![e_2]\!]_\star(\rho_\star) \neq \mathrm{err},\ \text{and } [\![e_1]\!]_\star(\rho_\star) < [\![e_2]\!]_\star(\rho_\star) \\ \{0\} & \text{if } [\![e_1]\!]_\star(\rho_\star) \neq \mathrm{err},\ [\![e_2]\!]_\star(\rho_\star) \neq \mathrm{err},\ \text{and } [\![e_1]\!]_\star(\rho_\star) \ge [\![e_2]\!]_\star(\rho_\star) \\ \{0, 1\} & \text{if } [\![e_1]\!]_\star(\rho_\star) = \mathrm{err} \text{ or } [\![e_2]\!]_\star(\rho_\star) = \mathrm{err} \end{cases}$$

$$[\![e_1\ \mathtt{==}\ e_2]\!]_\star(\rho_\star) = \begin{cases} \{1\} & \text{if } [\![e_1]\!]_\star(\rho_\star) \neq \mathrm{err},\ [\![e_2]\!]_\star(\rho_\star) \neq \mathrm{err},\ \text{and } [\![e_1]\!]_\star(\rho_\star) = [\![e_2]\!]_\star(\rho_\star) \\ \{0\} & \text{if } [\![e_1]\!]_\star(\rho_\star) \neq \mathrm{err},\ [\![e_2]\!]_\star(\rho_\star) \neq \mathrm{err},\ \text{and } [\![e_1]\!]_\star(\rho_\star) \neq [\![e_2]\!]_\star(\rho_\star) \\ \{0, 1\} & \text{if } [\![e_1]\!]_\star(\rho_\star) = \mathrm{err} \text{ or } [\![e_2]\!]_\star(\rho_\star) = \mathrm{err} \end{cases}$$

$$[\![e_1\ \mathtt{!=}\ e_2]\!]_\star(\rho_\star) = \begin{cases} \{1\} & \text{if } [\![e_1]\!]_\star(\rho_\star) \neq \mathrm{err},\ [\![e_2]\!]_\star(\rho_\star) \neq \mathrm{err},\ \text{and } [\![e_1]\!]_\star(\rho_\star) \neq [\![e_2]\!]_\star(\rho_\star) \\ \{0\} & \text{if } [\![e_1]\!]_\star(\rho_\star) \neq \mathrm{err},\ [\![e_2]\!]_\star(\rho_\star) \neq \mathrm{err},\ \text{and } [\![e_1]\!]_\star(\rho_\star) = [\![e_2]\!]_\star(\rho_\star) \\ \{0, 1\} & \text{if } [\![e_1]\!]_\star(\rho_\star) = \mathrm{err} \text{ or } [\![e_2]\!]_\star(\rho_\star) = \mathrm{err} \end{cases}$$

$$[\![\mathtt{!}t]\!]_\star(\rho_\star) = \{\, 1 - b \mid b \in [\![t]\!]_\star(\rho_\star) \,\}$$

The symbols $<$, $\le$, $>$, $\ge$ in the right-hand sides above are the usual relations on $\mathbb{R}$. So for
example, the semantics of $e_1\ \mathtt{<=}\ e_2$ is well-defined because we only ever compare two elements of $\mathbb{R}$,
i.e., two elements of $\mathbb{R}_e$ other than err.



4.3 Measurability of Concrete Semantics of Expressions and Tests 

In the definition of the semantics, we will work with Lebesgue integrals, or notions that generalize 
the Lebesgue integral. It is well-known that one cannot posit that every function is integrable 
without causing inconsistencies, and we shall therefore have to check that every function that we 
integrate is measurable. 

Measurability concerns are (mostly) irrelevant in the floating-point semantics, if we remember 
that F, hence F e , is finite, and that every function between finite spaces is measurable. But they 
are definitely important in the real number semantics. 

Measurability is defined relatively to specific σ-algebras. The Borel σ-algebra on $\mathbb{R}$ — or, more
generally, on any topological space — is the smallest σ-algebra that contains all open subsets.

We extend the topology of $\mathbb{R}$ to one on $\mathbb{R}_e$ by extending the standard metric on $\mathbb{R}$ to the
following distance $d$:

$$d(x, y) = \begin{cases} +\infty & \text{if } x = \mathrm{err} \text{ or } y = \mathrm{err}, \text{ and } x \neq y \\ 0 & \text{if } x = y = \mathrm{err} \\ |x - y| & \text{if } x, y \in \mathbb{R} \end{cases}$$

The resulting topology has, as opens, all open subsets of $\mathbb{R}$, the singleton $\{\mathrm{err}\}$, and their unions.
This makes err an (the unique) isolated point of $\mathbb{R}_e$. Note that this topology is not the topology of
the classical one-point (Alexandroff) compactification of $\mathbb{R}$, in which a basis of open neighborhoods
of err would be given by the sets $(-\infty, a) \cup (b, +\infty) \cup \{\mathrm{err}\}$, and err would not be isolated. The
latter would also be a possible choice, but would induce additional, irrelevant complications.

The subspace F e has the subspace topology: this is just the discrete topology, since F e is finite. 

We equip $\Sigma_r$ with the smallest topology that makes each map $\rho \mapsto \rho(x)$ continuous, for each
$x \in V$. This makes $\Sigma_r$ isomorphic to $\mathbb{R}_e^V$ with the product topology.

Similarly, we equip $\Sigma_f$ with the subspace topology from $\Sigma_r$. This is also the product topology
on $\mathbb{F}_e^V$, up to isomorphism. Note that this is not the discrete topology as soon as $V$ is infinite:
indeed, $\mathbb{F}_e^V$ is compact and infinite in this case, but all compact discrete topological spaces are
finite. This argument is however uselessly subtle: programs only use finitely many variables
anyway, and for $V$ finite, $\Sigma_f$ has the discrete topology.

We write $\mathfrak{B}(\Sigma_r)$ and $\mathfrak{B}(\Sigma_f)$ for the σ-algebras of Borel subsets of $\Sigma_r$ and $\Sigma_f$ respectively. By
standard results in topological measure theory (and crucially using the fact that $V$ is countable),
these are also the product σ-algebras on the (measure-theoretic) product of $V$ copies of $\mathbb{R}_e$, resp.
$\mathbb{F}_e$. (This is because $\mathbb{R}_e$, $\mathbb{F}_e$ are Polish spaces, and the Borel σ-algebra on a countable topological
product of Polish spaces coincides with the σ-algebra of the measure-theoretic product of the
spaces, each with their Borel σ-algebra.) This is a reassuring statement: it states that we can
harmlessly say "product" without having to say whether this is a topological or measure-theoretic
product. There is no such trap here.

A measurable map $f : X \to Y$ is one such that $f^{-1}(E)$ is a Borel subset for every Borel subset
$E$; it is equivalent to require that, for every open subset $U$, $f^{-1}(U)$ is Borel. In particular, every
continuous map is measurable. When $Y$ is second-countable, i.e., has certain so-called basic opens
such that every open subset is the union of countably many basic opens, then $f$ is measurable iff
$f^{-1}(U)$ is Borel for every basic open $U$. We shall use this in proofs; in particular when $Y = \mathbb{R}_e$,
where we can take the intervals with rational endpoints, and $\{\mathrm{err}\}$, as basic opens.

One might think that expressions have continuous real semantics, but this is wrong: $x/y$ as a
function of $x, y \in \mathbb{R}_e$ is not continuous at any point of the form $(x, 0)$. But they are measurable.
This would be repaired if we had taken the topology of the 1-point compactification of $\mathbb{R}$ on $\mathbb{R}_e$,
but we only need measurability. On the other hand, we really need the topological and
measure-theoretic products to coincide, and while this would also be true with the 1-point compactification,
the argument would be slightly more complex.

Proposition 1 (Expressions are Measurable)

• For every expression $e$, $\rho \mapsto [\![e]\!]_r(\rho)$ is a measurable function from $\Sigma_r$ to $\mathbb{R}_e$.

• If $V$ is finite or $\mathrm{proj}_{\mathbb{F}_e}$ is measurable, then for every expression $e$, $\rho \mapsto [\![e]\!]_f(\rho)$ is a measurable
function from $\Sigma_f$ to $\mathbb{F}_e$.

Proof We proceed by induction on expressions. Let $a \in \mathbb{Q}$. The function $\rho \mapsto [\![a]\!]_r(\rho)$ is a constant
function and thus it is continuous, hence measurable. Let $x \in V$. The function $\rho \mapsto [\![x]\!]_r(\rho)$ is the
coordinate projection on the $x$ coordinate of $\rho$ and thus it is continuous, hence measurable. The
case of expressions of the form $-e$, $e_1 + e_2$, $e_1 - e_2$, $e_1 \times e_2$ follows by induction hypothesis, using
the fact that the corresponding operations on $\mathbb{R}_e$ are continuous. To show this, it suffices to show
that the inverse image of every basic open subset (i.e., open intervals of $\mathbb{R}$, and $\{\mathrm{err}\}$) is open in
$\Sigma_r$. For example, the inverse image of an open subset of $\mathbb{R}$ by $+$ is an open subset of $\mathbb{R} \times \mathbb{R}$, hence
of $\mathbb{R}_e \times \mathbb{R}_e$, and the inverse image of the basic open subset $\{\mathrm{err}\}$ is $(\mathbb{R}_e \times \{\mathrm{err}\}) \cup (\{\mathrm{err}\} \times \mathbb{R}_e)$,
hence open. The case of $e_1 / e_2$ is slightly different as $/$ is not continuous on $\mathbb{R}_e \times \mathbb{R}_e$. But it is
measurable, as we now show, by showing that the inverse image of any basic open subset is Borel.
The inverse image of any open interval of $\mathbb{R}$ is open, since division is continuous at every point
$(x, y)$ with $y \neq 0$. And the inverse image of $\{\mathrm{err}\}$ by $/$ is the union of $\mathbb{R}_e \times \{\mathrm{err}\}$, of $\{\mathrm{err}\} \times \mathbb{R}_e$, and
of $\mathbb{R}_e \times \{0\}$. The first two are open hence Borel, while the last one is the countable intersection

$$\bigcap_{n \ge 1} \Big(\mathbb{R}_e \times \big(-\tfrac{1}{n}, \tfrac{1}{n}\big)\Big),$$

hence is Borel.

The second assertion is trivial if $V$ is finite, in which case all involved σ-algebras are discrete. In
the general case, it suffices to observe that inj and $\mathrm{proj}_{\mathbb{F}_e}$ are measurable: inj is even continuous,
since any function from a discrete space is, and the fact that $\mathrm{proj}_{\mathbb{F}_e}$ is measurable is our assumption.
Using the fact that the composition of measurable functions is measurable, and using a similar
induction as above, we conclude. □

All natural rounding functions proj F are measurable, so the assumptions we are making in 
Proposition 1 will be satisfied. E.g., 

Lemma 1 

The round-to-nearest map, with even rounding, is measurable from $\mathbb{R}_e$ to $\mathbb{F}_e$.

Proof Since the Borel σ-algebra on $\mathbb{F}_e$ is discrete, it is enough to check that the inverse image of
any single element $f \in \mathbb{F}_e$ is Borel.

If $f \in (F_{\min}, F_{\max}) \cap \mathbb{F}$, and if the ulp of $f$ is 0, then this inverse image is $\left[\frac{f' + f}{2}, \frac{f + f''}{2}\right]$
($\left(\frac{f' + f}{2}, \frac{f + f''}{2}\right)$ if the ulp of $f$ is not 0), where $f'$ is the largest element of $\mathbb{F}$ strictly less than $f$
and $f''$ is the smallest element of $\mathbb{F}$ strictly larger than $f$.

If $f = F_{\min}$, then the inverse image of $f$ is $\left[F_{\min}, \frac{f + f''}{2}\right]$ (if the ulp of $f$ is 0; $\left[F_{\min}, \frac{f + f''}{2}\right)$
if the ulp of $f$ is not 0), where $f''$ is the smallest element of $\mathbb{F}$ strictly larger than $f$.

If $f = F_{\max}$, then the inverse image of $f$ is $\left[\frac{f' + f}{2}, F_{\max}\right]$ (if the ulp of $f$ is 0; $\left(\frac{f' + f}{2}, F_{\max}\right]$
if the ulp of $f$ is not 0), where $f'$ is the largest element of $\mathbb{F}$ strictly less than $f$.

Finally, the inverse image of err is the union of $\{\mathrm{err}\}$, of $(-\infty, F_{\min})$, and of $(F_{\max}, +\infty)$.
All these sets are either open, or closed, and in any case Borel. □

Tests are interpreted as maps from $\Sigma_\star$ to $\mathcal{P}^*\{0, 1\}$, where $\mathcal{P}^*$ denotes non-empty powerset, and
are thus multifunctions. One of the standard notions of measurability for multifunctions is to say
that, given topological spaces $X$ and $Y$, $f : X \to \mathcal{P}^*(Y)$ is measurable if and only if $f^{-1}(\Diamond U)$ is
Borel for every open subset $U$ of $Y$. ($\Diamond U$ is the set of subsets that intersect $U$.) If we understand
$f$ as a relation between elements of $X$ and elements of $Y$, this means that the set of elements $x \in X$
that are related to some element of a given open subset $U$ should be Borel.

Proposition 2 (Tests are Measurable)

For every test $t$, $\rho \mapsto [\![t]\!]_r(\rho)$ is a measurable function from $\Sigma_r$ to $\mathcal{P}^*\{0, 1\}$. If $V$ is finite or $\mathrm{proj}_{\mathbb{F}_e}$
is measurable, then $\rho \mapsto [\![t]\!]_f(\rho)$ is a measurable function from $\Sigma_f$ to $\mathcal{P}^*\{0, 1\}$.

Proof It suffices to show that the inverse images of $\Diamond\{0\}$ and of $\Diamond\{1\}$ are Borel. We proceed by
induction on $t$. Let $\star$ be either $f$ or $r$.

If $t$ is of the form $e_1\ \mathtt{<=}\ e_2$, then $[\![t]\!]_\star(\rho_\star)$ contains 0 if and only if $[\![e_1 - e_2]\!]_\star(\rho_\star)$ is in $\{\mathrm{err}\} \cup
(0, +\infty)$ (if $\star = r$; in $\mathrm{inj}^{-1}(\{\mathrm{err}\} \cup (0, +\infty))$ if $\star = f$). The latter is open, and $[\![e_1 - e_2]\!]_\star$ is
measurable by Proposition 1, so $[\![t]\!]_\star^{-1}(\Diamond\{0\})$ is Borel. Similarly, $[\![t]\!]_\star(\rho)$ contains 1 if and only if
$[\![e_1 - e_2]\!]_\star(\rho)$ is in $\{\mathrm{err}\} \cup (-\infty, 0]$ (if $\star = r$; its inverse image by inj if $\star = f$), which is closed, so
$[\![t]\!]_\star^{-1}(\Diamond\{1\})$ is Borel. We proceed similarly if $t$ is of the form $e_1\ \mathtt{<}\ e_2$, $e_1\ \mathtt{==}\ e_2$, or $e_1\ \mathtt{!=}\ e_2$.

Finally, if $t$ is of the form $\mathtt{!}t'$, $[\![t]\!]_\star^{-1}(\Diamond\{0\}) = [\![t']\!]_\star^{-1}(\Diamond\{1\})$, and $[\![t]\!]_\star^{-1}(\Diamond\{1\}) = [\![t']\!]_\star^{-1}(\Diamond\{0\})$,
which allows us to conclude immediately. □



5 Weakest Preconditions and Continuation-Passing Style 
Semantics 

The idea of a continuation-passing style (CPS) semantics is that the value $v$ returned by a given
program is not given explicitly. Rather, one passes a continuation parameter $\kappa$ to the semantics,
and the latter is defined so that it eventually calls $\kappa$ on the final value $v$.

While this seems like a complicated and roundabout way of defining semantics, this is very 
useful. For example, this allows one to give semantics to exceptions, or to various forms of non- 
determinism and probabilistic choice [Gou07]. 

The continuation $\kappa$ itself is a map from the domain of values to some, usually unspecified
domain of answers Ans. (In [Gou07], Ans was required to be $\mathbb{R}_+$.)

Also, the "final value" of a program should here be understood as the final environment $\rho_\star$
that represents the state the program is in on termination. So a continuation $\kappa$ will be a map
from $\Sigma_\star$ to Ans.

It should also be noted that continuation-passing style semantics are nothing else than a natural
generalization of Dijkstra's weakest preconditions, or the computation of sets of predecessor states
in transition systems. This is obtained by taking Ans = $\{0, 1\}$. Then the continuations $\kappa$ are
merely the indicator maps of subsets $E$ of environments (predicates $P$ on environments), and the
continuation-passing style denotation of program $\pi$ in continuation $\kappa$ is merely the (continuation
representing the) set of environments $\rho$ such that evaluating $\pi$ starting from $\rho$ may terminate with
an environment in $E$ (satisfying $P$).

Recall that an ω-cpo is a poset in which every ascending sequence $x_0 \le x_1 \le \ldots \le x_n \le \ldots$
has a supremum (a least upper bound).
Assumption 1

We assume that Ans is an ω-cpo with a smallest element $\bot_{\mathrm{Ans}}$, and binary suprema.

We write $\sup$ for suprema, and reserve $\sup^{\uparrow}$ for suprema of ascending sequences. Assumption 1 can
be stated equivalently as: Ans has all countable suprema (including the supremum $\bot_{\mathrm{Ans}}$ of the
empty family). If the language had been deterministic (we fall short of this because of the way
err is dealt with in tests), we would only need Ans to be an ω-cpo, and would not need
binary suprema.

The typical example of such a set Ans of answers is $\mathbb{R}_+ \cup \{+\infty\}$, with its usual ordering.
As usual, we define the semantics of instructions by recursion on syntax: 

• skip: 

$$\mathrm{wp}[{}^{\ell_1}\mathtt{skip}, \ell_2]^*(\kappa) = \kappa$$

• assignment: 

$$\mathrm{wp}[{}^{\ell_1}x := e, \ell_2]^*(\kappa) = \mathrm{fun}\ \rho \mapsto \kappa\big(\rho[x \mapsto [\![e]\!]^*(\rho)]\big)$$

• sequence: 

$$\mathrm{wp}[{}^{\ell_1}P;\,{}^{\ell_2}Q, \ell_3]^*(\kappa) = \mathrm{wp}[{}^{\ell_1}P, \ell_2]^*\big(\mathrm{wp}[{}^{\ell_2}Q, \ell_3]^*(\kappa)\big)$$

• tests: 

$$\mathrm{wp}[{}^{\ell}\mathtt{if}\ t\ \mathtt{then}\ {}^{\ell_1}P_1\ \mathtt{else}\ {}^{\ell_0}P_0, \ell_2]^*(\kappa) = \mathrm{fun}\ \rho \mapsto \sup_{i \in [\![t]\!]^*(\rho)} \big(\mathrm{wp}[{}^{\ell_i}P_i, \ell_2]^*(\kappa)\big)(\rho)$$

In other words, 

$$\mathrm{wp}[{}^{\ell}\mathtt{if}\ t\ \mathtt{then}\ {}^{\ell_1}P_1\ \mathtt{else}\ {}^{\ell_0}P_0, \ell_2]^*(\kappa) = \mathrm{fun}\ \rho \mapsto
\begin{cases}
\big(\mathrm{wp}[{}^{\ell_1}P_1, \ell_2]^*(\kappa)\big)(\rho) & \text{if } [\![t]\!]^*(\rho) = \{1\} \\
\big(\mathrm{wp}[{}^{\ell_0}P_0, \ell_2]^*(\kappa)\big)(\rho) & \text{if } [\![t]\!]^*(\rho) = \{0\} \\
\sup\Big(\big(\mathrm{wp}[{}^{\ell_1}P_1, \ell_2]^*(\kappa)\big)(\rho),\ \big(\mathrm{wp}[{}^{\ell_0}P_0, \ell_2]^*(\kappa)\big)(\rho)\Big) & \text{if } [\![t]\!]^*(\rho) = \{0, 1\}
\end{cases}$$



The definition of the semantics of a loop, of the form ${}^{\ell_1}\mathtt{while}\ t\ {}^{\ell_2}P$, uses an auxiliary map. We 
denote by $F(E^*, \mathrm{Ans})$ the set $((E^* \to \mathrm{Ans}) \to (E^* \to \mathrm{Ans}))$, i.e. the set of maps from $(E^* \to \mathrm{Ans})$ to 
itself. We equip $(E^* \to \mathrm{Ans})$ with the pointwise ordering. The set $F(E^*, \mathrm{Ans})$ is also equipped with 
the pointwise ordering: $f \le g$ iff for every $\kappa \in (E^* \to \mathrm{Ans})$, for every $\rho \in E^*$, $f(\kappa)(\rho) \le g(\kappa)(\rho)$ 
in Ans. For every countable family $(f_i)_{i \in I}$ of elements of $F(E^*, \mathrm{Ans})$, its supremum $\sup_{i \in I} f_i$ is then 
also computed pointwise: 

$$\sup_{i \in I} f_i : \kappa \mapsto \mathrm{fun}\ \rho \mapsto \sup_{i \in I} \big(f_i(\kappa)(\rho)\big)$$

From this latter definition, we get the following lemma. 

Lemma 2 

The set $F(E^*, \mathrm{Ans})$ is an ω-cpo with binary suprema, and with a smallest element $\bot_{F(E^*, \mathrm{Ans})}$ defined 
as: 

$$\bot_{F(E^*, \mathrm{Ans})}(\kappa) = \mathrm{fun}\ \rho \mapsto \bot_{\mathrm{Ans}}, \qquad \forall \kappa : E^* \to \mathrm{Ans}.$$
• loops. Given a test t and an instruction ${}^{\ell_2}P, \ell_1$, let $H_{t,{}^{\ell_2}P,\ell_1}$ be the map from $F(E^*, \mathrm{Ans})$ to 
$F(E^*, \mathrm{Ans})$ defined as follows: 

$$\big(H_{t,{}^{\ell_2}P,\ell_1}(\varphi)\big)(\kappa)(\rho) =
\begin{cases}
\big(\mathrm{wp}[{}^{\ell_2}P, \ell_1]^*(\varphi(\kappa))\big)(\rho) & \text{if } [\![t]\!]^*(\rho) = \{1\} \\
\kappa(\rho) & \text{if } [\![t]\!]^*(\rho) = \{0\} \\
\sup\Big(\big(\mathrm{wp}[{}^{\ell_2}P, \ell_1]^*(\varphi(\kappa))\big)(\rho),\ \kappa(\rho)\Big) & \text{if } [\![t]\!]^*(\rho) = \{0, 1\}
\end{cases}$$

So, for example, $\mathrm{wp}[{}^{\ell}\mathtt{if}\ t\ \mathtt{then}\ {}^{\ell_1}P_1\ \mathtt{else}\ {}^{\ell_0}P_0, \ell_2]^* = H_{t,{}^{\ell_1}P_1,\ell_2}\big(\mathrm{wp}[{}^{\ell_0}P_0, \ell_2]^*\big)$. 

The semantics of the loop ${}^{\ell_1}\mathtt{while}\ t\ {}^{\ell_2}P, \ell_3$ is the supremum of the sequence $\bot_{F(E^*,\mathrm{Ans})}$, 
$H_{t,{}^{\ell_2}P,\ell_1}(\bot_{F(E^*,\mathrm{Ans})})$, $H_{t,{}^{\ell_2}P,\ell_1}\big(H_{t,{}^{\ell_2}P,\ell_1}(\bot_{F(E^*,\mathrm{Ans})})\big)$, … in $F(E^*, \mathrm{Ans})$, namely: 

$$\mathrm{wp}[{}^{\ell_1}\mathtt{while}\ t\ {}^{\ell_2}P, \ell_3]^* = \sup^{\uparrow}_{n \in \mathbb{N}} H^n_{t,{}^{\ell_2}P,\ell_1}\big(\bot_{F(E^*,\mathrm{Ans})}\big)$$

A more standard definition would have been to let $\mathrm{wp}[{}^{\ell_1}\mathtt{while}\ t\ {}^{\ell_2}P, \ell_3]^*$ be defined as the least 
fixpoint of $H_{t,{}^{\ell_2}P,\ell_1}$ in $F(E^*, \mathrm{Ans})$. We show below that this would be equivalent. The reason is 
that the map $H_{t,{}^{\ell_2}P,\ell_1}$ is ω-Scott-continuous, i.e., is monotone and preserves suprema of ascending 
sequences. 
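The semantics just defined, instantiated as an added example (not code from the report): Ans is given by its bottom and its binary sup, so the instance $\mathrm{Ans} = \{0,1\}$ of the Dijkstra remark above becomes a "may terminate in an environment satisfying $\kappa$" check, and the loop supremum $\sup^{\uparrow}_n H^n(\bot)$ is computed by iterating H until the ascending chain stabilises. The finite variable domain, the propagation of err through expressions and the tuple encoding of instructions are assumptions of this example; the report's $E^*$ is not finite, and the stabilisation check relies on that finiteness.

```python
"""wp / CPS semantics of the toy language on a finite environment space."""
from functools import reduce
from itertools import product

ERR = "err"                       # the error value; a test touching it yields {0,1}
VARS = ("x", "y")
DOMAIN = (0, 1, 2, 3, ERR)        # finite value domain (assumption of this example)
ENVS = [dict(zip(VARS, vals)) for vals in product(DOMAIN, repeat=len(VARS))]

def var(x):                       # [x]*(rho)
    return lambda rho: rho[x]

def const(c):                     # [c]*(rho)
    return lambda rho: c

def sub(a, b):                    # [a - b]*(rho); err propagates (assumption)
    return lambda rho: ERR if ERR in (a(rho), b(rho)) else a(rho) - b(rho)

def gt(a, b):                     # [a > b]*(rho) as a non-empty subset of {0,1}
    def t(rho):
        u, v = a(rho), b(rho)
        if ERR in (u, v):
            return frozenset({0, 1})          # nondeterministic outcome
        return frozenset({1 if u > v else 0})
    return t

def wp(instr, kappa, bot, sup):
    """wp[instr, l']*(kappa) for Ans given by its bottom `bot` and binary `sup`."""
    kind = instr[0]
    if kind == "skip":
        return kappa
    if kind == "assign":          # fun rho -> kappa(rho[x -> [e]*(rho)])
        _, x, e = instr
        return lambda rho: kappa({**rho, x: e(rho)})
    if kind == "seq":             # wp[P](wp[Q](kappa))
        _, p, q = instr
        return wp(p, wp(q, kappa, bot, sup), bot, sup)
    if kind == "if":              # sup over i in [t]*(rho) of wp[P_i](kappa)(rho)
        _, t, p1, p0 = instr
        branch = {1: wp(p1, kappa, bot, sup), 0: wp(p0, kappa, bot, sup)}
        return lambda rho: reduce(sup, [branch[i](rho) for i in t(rho)])
    if kind == "while":           # sup_n H^n(bot)(kappa), iterated to a fixpoint
        _, t, body = instr
        key = lambda rho: tuple(rho[v] for v in VARS)
        psi = {key(rho): bot for rho in ENVS}            # psi_0 = bot_F(kappa)
        while True:
            k_body = wp(body, lambda rho, tb=psi: tb[key(rho)], bot, sup)
            nxt = {key(rho): reduce(sup, [k_body(rho) if i == 1 else kappa(rho)
                                          for i in t(rho)])
                   for rho in ENVS}                      # psi_{n+1} = H(psi_n)(kappa)
            if nxt == psi:                               # ascending chain stabilised
                return lambda rho, tb=psi: tb[key(rho)]
            psi = nxt
    raise ValueError(f"unknown instruction {kind}")

# Constructed program: if x > 1 then y := 1 else y := 0; while x > 0 do x := x - 1
PROG = ("seq",
        ("if", gt(var("x"), const(1)), ("assign", "y", const(1)),
                                       ("assign", "y", const(0))),
        ("while", gt(var("x"), const(0)), ("assign", "x", sub(var("x"), const(1)))))
# Constructed program that never terminates when x > 0: while x > 0 do skip
SPIN = ("while", gt(var("x"), const(0)), ("skip",))

def wp_may(instr, kappa):
    """Ans = {0,1} (bot = False, sup = or): may the program terminate in an
    environment satisfying the predicate kappa? (Dijkstra's predecessor sets)"""
    return wp(instr, kappa, False, lambda a, b: a or b)

def may_end_with_y1(x0):
    """From x = x0 (and y = 0), may PROG terminate with y = 1?"""
    return wp_may(PROG, lambda rho: rho["y"] == 1)({"x": x0, "y": 0})

def may_terminate(x0):
    """From x = x0, may SPIN terminate at all? (err makes the exit possible)"""
    return wp_may(SPIN, lambda rho: True)({"x": x0, "y": 0})

if __name__ == "__main__":
    for x0 in DOMAIN:
        print(x0, may_end_with_y1(x0), may_terminate(x0))
```

With $x = \mathtt{err}$ both tests return $\{0,1\}$, so the sup picks the branch that may reach the goal: non-termination contributes $\bot$, and err makes even the spinning loop "may terminate".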

We prove this through two lemmas. The first one shows that $H_{t,{}^{\ell_2}P,\ell_1}$ is ω-Scott-continuous 
when the maps $\kappa \mapsto \mathrm{wp}[{}^{\ell_2}P, \ell_1]^*(\kappa)$ are ω-Scott-continuous. The second lemma says that the 
maps $\kappa \mapsto \mathrm{wp}[{}^{\ell_2}P, \ell_1]^*(\kappa)$ are indeed ω-Scott-continuous. 

Lemma 3 

Let ${}^{\ell_2}P$ be an instruction. Let t be a test. Assume that the map 

$$\kappa \mapsto \mathrm{wp}[{}^{\ell_2}P, \ell_1]^*(\kappa) \text{ is } \omega\text{-Scott-continuous,} \qquad (1)$$

then: 

• The map $H_{t,{}^{\ell_2}P,\ell_1}$ is ω-Scott-continuous. 

• The map $\sup^{\uparrow}_{n \in \mathbb{N}} H^n_{t,{}^{\ell_2}P,\ell_1}$ is ω-Scott-continuous. 

• $\kappa \mapsto \mathrm{wp}[{}^{\ell_1}\mathtt{while}\ t\ {}^{\ell_2}P, \ell_3]^*(\kappa)$ is ω-Scott-continuous. 

Proof Let us prove the first assertion. Let $\varphi, \varphi' \in F(E^*, \mathrm{Ans})$ such that $\varphi \le \varphi'$. For every 
$\kappa : E^* \to \mathrm{Ans}$, for every $\rho$ such that $[\![t]\!]^*(\rho) = \{1\}$, 

$$\mathrm{wp}[{}^{\ell_2}P, \ell_1]^*(\varphi(\kappa))(\rho) \le \mathrm{wp}[{}^{\ell_2}P, \ell_1]^*(\varphi'(\kappa))(\rho),$$

so: 

$$H_{t,{}^{\ell_2}P,\ell_1}(\varphi)(\kappa)(\rho) \le H_{t,{}^{\ell_2}P,\ell_1}(\varphi')(\kappa)(\rho).$$

Let $(\varphi_n)_{n \in \mathbb{N}}$ be an ascending sequence in $F(E^*, \mathrm{Ans})$. We also have: 

$$\mathrm{wp}[{}^{\ell_2}P, \ell_1]^*\Big(\sup^{\uparrow}_{n \in \mathbb{N}} \varphi_n(\kappa)\Big)(\rho) = \sup^{\uparrow}_{n \in \mathbb{N}} \big(\mathrm{wp}[{}^{\ell_2}P, \ell_1]^*(\varphi_n(\kappa))\big)(\rho).$$

When $[\![t]\!]^*(\rho) = \{1\}$, this is equivalent to: 

$$H_{t,{}^{\ell_2}P,\ell_1}\Big(\sup^{\uparrow}_{n \in \mathbb{N}} \varphi_n\Big)(\kappa)(\rho) = \Big(\sup^{\uparrow}_{n \in \mathbb{N}} H_{t,{}^{\ell_2}P,\ell_1}(\varphi_n)\Big)(\kappa)(\rho).$$

When $[\![t]\!]^*(\rho) = \{0\}$, we obtain the same equality, where now both sides are the constant $\kappa(\rho)$. 

When $[\![t]\!]^*(\rho) = \{0, 1\}$, 

$$\begin{aligned}
H_{t,{}^{\ell_2}P,\ell_1}\Big(\sup^{\uparrow}_{n \in \mathbb{N}} \varphi_n\Big)(\kappa)(\rho)
&= \sup\Big(\sup^{\uparrow}_{n \in \mathbb{N}} \big(\mathrm{wp}[{}^{\ell_2}P, \ell_1]^*(\varphi_n(\kappa))\big)(\rho),\ \kappa(\rho)\Big) \\
&= \sup^{\uparrow}_{n \in \mathbb{N}} \Big(\sup\big(\big(\mathrm{wp}[{}^{\ell_2}P, \ell_1]^*(\varphi_n(\kappa))\big)(\rho),\ \kappa(\rho)\big)\Big) \\
&= \Big(\sup^{\uparrow}_{n \in \mathbb{N}} H_{t,{}^{\ell_2}P,\ell_1}(\varphi_n)\Big)(\kappa)(\rho).
\end{aligned}$$

The second assertion follows from the first, from the fact that compositions of ω-Scott-continuous 
maps are again ω-Scott-continuous (hence $H^n_{t,{}^{\ell_2}P,\ell_1}$ is ω-Scott-continuous for every $n \in \mathbb{N}$), and 
from the fact that suprema of ω-Scott-continuous maps are ω-Scott-continuous. 

The last assertion follows trivially from the second one, using the fact that application (of 
maps to $\bot_{F(E^*,\mathrm{Ans})}$) is ω-Scott-continuous. □ 

Next, we prove that for every instruction ${}^{\ell}P$, for every label $\ell'$, the map $\kappa \mapsto \mathrm{wp}[{}^{\ell}P, \ell']^*(\kappa)$ is 
ω-Scott-continuous. 

Lemma 4 (ω-Scott-continuity of $\mathrm{wp}[\cdot]^*$) 

For every instruction ${}^{\ell}P$, for every label $\ell'$, the map $\kappa \mapsto \mathrm{wp}[{}^{\ell}P, \ell']^*(\kappa)$ is ω-Scott-continuous. 

Proof We proceed by induction on the instructions. 

• skip. The instruction skip is the identity map from $E^* \to \mathrm{Ans}$ to itself, so it is ω-Scott-
continuous. 

• Assignment. Let $\kappa, \kappa'$ be maps from $E^*$ to Ans such that $\kappa \le \kappa'$. For every $\rho \in E^*$, 
$\kappa(\rho[x \mapsto [\![e]\!]^*(\rho)]) \le \kappa'(\rho[x \mapsto [\![e]\!]^*(\rho)])$. So $\mathrm{wp}[{}^{\ell_1}x := e, \ell_2]^*$ is a monotonic map. Now, we 
consider an ascending sequence $(\kappa_n)_{n \in \mathbb{N}}$ of maps from $E^*$ to Ans. We have: 

$$\Big(\sup^{\uparrow}_{n \in \mathbb{N}} \kappa_n\Big)\big(\rho[x \mapsto [\![e]\!]^*(\rho)]\big) = \sup^{\uparrow}_{n \in \mathbb{N}} \Big(\kappa_n\big(\rho[x \mapsto [\![e]\!]^*(\rho)]\big)\Big)$$

and then: 

$$\mathrm{wp}[{}^{\ell_1}x := e, \ell_2]^*\Big(\sup^{\uparrow}_{n \in \mathbb{N}} \kappa_n\Big) = \sup^{\uparrow}_{n \in \mathbb{N}} \mathrm{wp}[{}^{\ell_1}x := e, \ell_2]^*(\kappa_n).$$

• Sequence. By induction hypothesis on ${}^{\ell_1}P$ and ${}^{\ell_2}Q$, the maps $\kappa \mapsto \mathrm{wp}[{}^{\ell_1}P, \ell_2]^*(\kappa)$ and 
$\kappa \mapsto \mathrm{wp}[{}^{\ell_2}Q, \ell_3]^*(\kappa)$ are ω-Scott-continuous. Since the composition of two ω-Scott-continuous 
maps is ω-Scott-continuous, the map $\kappa \mapsto \mathrm{wp}[{}^{\ell_1}P;\,{}^{\ell_2}Q, \ell_3]^*(\kappa)$ is also ω-Scott-continuous. 

• Tests. By induction hypothesis on ${}^{\ell_2}P$ and ${}^{\ell_3}Q$, the maps $\kappa \mapsto \mathrm{wp}[{}^{\ell_2}P, \ell_4]^*(\kappa)$ and 
$\kappa \mapsto \mathrm{wp}[{}^{\ell_3}Q, \ell_4]^*(\kappa)$ are ω-Scott-continuous. Since we consider a pointwise order, it suffices to show 
that for every $\rho \in E^*$, $\kappa \mapsto \mathrm{wp}[{}^{\ell_1}\mathtt{if}\ t\ \mathtt{then}\ {}^{\ell_2}P\ \mathtt{else}\ {}^{\ell_3}Q, \ell_4]^*(\kappa)(\rho)$ is ω-Scott-continuous (from 
$E^* \to \mathrm{Ans}$ to Ans). When we fix $\rho \in E^*$, we get three cases, according to whether the test is true, false, or both true 
and false. In each case, we conclude that $\mathrm{wp}[{}^{\ell_1}\mathtt{if}\ t\ \mathtt{then}\ {}^{\ell_2}P\ \mathtt{else}\ {}^{\ell_3}Q, \ell_4]^*(\kappa)$ is ω-Scott-continuous 
by induction hypothesis. 

• Loops. By induction hypothesis, $\kappa \mapsto \mathrm{wp}[{}^{\ell_2}P, \ell_1]^*(\kappa)$ is ω-Scott-continuous. Lemma 3 
immediately entails that $\kappa \mapsto \mathrm{wp}[{}^{\ell_1}\mathtt{while}\ t\ {}^{\ell_2}P, \ell_3]^*(\kappa)$ is ω-Scott-continuous. □ 

We introduce a parametric version of classical previsions. Since we work with ω-cpos, we have 
to consider $[0, +\infty]$, so we add arithmetic conventions to deal with $+\infty$. 

Convention 2 (Arithmetic in $\mathbb{R}^+ \cup \{+\infty\}$) 

We add the following rules: 

• $0 \times (+\infty) = (+\infty) \times 0 = 0$; 

• $+\infty \times +\infty = +\infty$; 

• For all $x \in [0, +\infty]$, $x + (+\infty) = (+\infty) + x = +\infty$. 

Let X be a topological space. We equip X with its Borel σ-algebra. We denote by $M^+(X)$ the 
set of positive measurable functions on X. 

Definition 1 (Parametric prevision) 

Let X be a non-empty set. Let F be a map from $M^+(X)$ to itself. The map F is said to be a 
parametric prevision if: 

1. F is positively homogeneous; 

2. F is monotonic. 

Moreover, a parametric prevision is said to be: 

1. (lower) $F(f + g) \ge F(f) + F(g)$, for all functions $f, g \in M^+(X)$; 

2. (upper) $F(f + g) \le F(f) + F(g)$, for all functions $f, g \in M^+(X)$; 

3. (linear) $F(f + g) = F(f) + F(g)$, for all functions $f, g \in M^+(X)$; 

4. (ω-continuous) for all ascending families $(f_n)_{n \in \mathbb{N}}$, $F\big(\sup^{\uparrow}_{n \in \mathbb{N}} f_n\big) = \sup^{\uparrow}_{n \in \mathbb{N}} F(f_n)$. 

We recall that the set of positive measurable functions is a convex cone, stable under countable 
infima and suprema and under pointwise limits. The set of positive measurable functions contains the constant 
(positive) functions and the continuous functions. 

Proposition 3 

1. The set of upper ω-continuous parametric previsions is an ω-cpo (equipped with the pointwise 
ordering) with a smallest element (the null parametric prevision, which associates with $f \in M^+(X)$ the 
positive measurable function $g : x \mapsto 0$). 

2. The set of upper ω-continuous parametric previsions is stable under binary suprema. 

3. The set of upper ω-continuous parametric previsions is stable under composition. 

Proof 1. The null parametric prevision is clearly an upper ω-continuous parametric prevision. Since the 
null parametric prevision is the smallest element of $F(X, [0, +\infty])$, it is also the smallest element of 
the set of upper ω-continuous parametric previsions. 

Let $(F_n)_{n \in \mathbb{N}}$ be an ascending sequence. Since $M^+(X)$ is stable under countable suprema, 
$(\sup^{\uparrow}_{n \in \mathbb{N}} F_n)(f) = \sup^{\uparrow}_{n \in \mathbb{N}} (F_n(f)) \in M^+(X)$ for all $f \in M^+(X)$. 

Let $\alpha > 0$ and $f \in M^+(X)$. The set $M^+(X)$ is a cone, thus $\alpha f \in M^+(X)$. Since the $F_n$ are 
positively homogeneous, $(\sup^{\uparrow}_{n \in \mathbb{N}} F_n)(\alpha f) = \sup^{\uparrow}_{n \in \mathbb{N}} (F_n(\alpha f)) = \sup^{\uparrow}_{n \in \mathbb{N}} \alpha F_n(f)$, and since $\alpha > 0$, 
we conclude that $\sup^{\uparrow}_{n \in \mathbb{N}} (F_n(\alpha f)) = \alpha \sup^{\uparrow}_{n \in \mathbb{N}} F_n(f)$, so $\sup^{\uparrow}_{n \in \mathbb{N}} F_n$ is positively homogeneous. 

Let $f, g \in M^+(X)$ such that $f \le g$. We have $(\sup^{\uparrow}_{n \in \mathbb{N}} F_n)(f) = \sup^{\uparrow}_{n \in \mathbb{N}} F_n(f)$. For all $n \in \mathbb{N}$, $F_n(f) \le F_n(g)$, 
and we get $\sup^{\uparrow}_{n \in \mathbb{N}} F_n(f) \le \sup^{\uparrow}_{n \in \mathbb{N}} F_n(g) = (\sup^{\uparrow}_{n \in \mathbb{N}} F_n)(g)$, so $\sup^{\uparrow}_{n \in \mathbb{N}} F_n$ is 
monotonic. 

Let $f, g \in M^+(X)$. For all $n \in \mathbb{N}$, we have $F_n(f + g) \le F_n(f) + F_n(g)$; taking the suprema 
we get $\sup^{\uparrow}_{n \in \mathbb{N}} F_n(f + g) \le \sup^{\uparrow}_{n \in \mathbb{N}} (F_n(f) + F_n(g)) \le \sup^{\uparrow}_{n \in \mathbb{N}} F_n(f) + \sup^{\uparrow}_{n \in \mathbb{N}} F_n(g)$, so $\sup^{\uparrow}_{n \in \mathbb{N}} F_n$ is an 
upper parametric prevision. 

Now let $(f_k)_{k \in \mathbb{N}}$ be an ascending sequence of elements of $M^+(X)$. The set $M^+(X)$ is stable 
under suprema, hence $\sup^{\uparrow}_{k \in \mathbb{N}} f_k \in M^+(X)$. We have $\sup^{\uparrow}_{n \in \mathbb{N}} F_n\big(\sup^{\uparrow}_{k \in \mathbb{N}} f_k\big) = \sup^{\uparrow}_{n \in \mathbb{N}} \sup^{\uparrow}_{k \in \mathbb{N}} F_n(f_k)$, and the 
suprema commute, so $\sup^{\uparrow}_{n \in \mathbb{N}} F_n\big(\sup^{\uparrow}_{k \in \mathbb{N}} f_k\big) = \sup^{\uparrow}_{k \in \mathbb{N}} \sup^{\uparrow}_{n \in \mathbb{N}} F_n(f_k)$. We conclude that $\sup^{\uparrow}_{n \in \mathbb{N}} F_n$ 
is ω-continuous. 

2. Let F, G be two upper ω-continuous parametric previsions. From the supremum stability 
property, $\sup(F, G)(f) = \sup(F(f), G(f))$ belongs to $M^+(X)$ for all $f \in M^+(X)$. 

Let $\alpha > 0$ and $f \in M^+(X)$ (so $\alpha f \in M^+(X)$). Since F, G are positively homogeneous, 
$\sup(F, G)(\alpha f) = \sup(F(\alpha f), G(\alpha f)) = \sup(\alpha F(f), \alpha G(f))$, and since $\alpha > 0$, we conclude 
that $\sup(F, G)(\alpha f) = \alpha \sup(F(f), G(f)) = \alpha \sup(F, G)(f)$, so $\sup(F, G)$ is positively 
homogeneous. 

The supremum of monotonic functions is a monotonic function, hence $\sup(F, G)$ is monotonic. 

Let $f, g \in M^+(X)$. We have $F(f + g) \le F(f) + F(g)$ and $G(f + g) \le G(f) + G(g)$; taking the 
supremum we get $\sup(F, G)(f + g) \le \sup(F(f) + F(g), G(f) + G(g)) \le \sup(F(f), G(f)) + \sup(F(g), G(g)) = \sup(F, G)(f) + \sup(F, G)(g)$, so $\sup(F, G)$ is an upper parametric 
prevision. 

Now let $(f_k)_{k \in \mathbb{N}}$ be an ascending sequence of elements of $M^+(X)$ (and thus $\sup^{\uparrow}_{k \in \mathbb{N}} f_k \in M^+(X)$). 
We have $\sup(F, G)\big(\sup^{\uparrow}_{k \in \mathbb{N}} f_k\big) = \sup\big(F(\sup^{\uparrow}_{k \in \mathbb{N}} f_k), G(\sup^{\uparrow}_{k \in \mathbb{N}} f_k)\big) = \sup\big(\sup^{\uparrow}_{k \in \mathbb{N}} F(f_k), \sup^{\uparrow}_{k \in \mathbb{N}} G(f_k)\big)$, 
and the suprema commute, so $\sup(F, G)\big(\sup^{\uparrow}_{k \in \mathbb{N}} f_k\big) = \sup^{\uparrow}_{k \in \mathbb{N}} \sup(F, G)(f_k)$. We conclude 
that $\sup(F, G)$ is ω-continuous. 

3. Let F, G be two upper ω-continuous parametric previsions. 

Since for all $f, g \in M^+(X)$, $F(f)$ and $G(g)$ belong to $M^+(X)$, for all $h \in M^+(X)$, 
$F(G(h))$ belongs to $M^+(X)$. 

Let $\alpha > 0$ and $f \in M^+(X)$. Since F, G are positively homogeneous, $F \circ G(\alpha f) = F(G(\alpha f)) = F(\alpha G(f)) = \alpha F \circ G(f)$; we conclude that $F \circ G$ is positively homogeneous. 

The composition of two monotonic maps is also monotonic, thus $F \circ G$ is monotonic. 

Let $f, g \in M^+(X)$. We have $G(f + g) \le G(f) + G(g)$, and since F is monotonic, $F \circ G(f + g) \le F(G(f) + G(g)) \le F \circ G(f) + F \circ G(g)$, so $F \circ G$ is an upper parametric prevision. 

Now let $(f_k)_{k \in \mathbb{N}}$ be an ascending sequence in $M^+(X)$. We have $F \circ G\big(\sup^{\uparrow}_{k \in \mathbb{N}} f_k\big) = F\big(G(\sup^{\uparrow}_{k \in \mathbb{N}} f_k)\big) = F\big(\sup^{\uparrow}_{k \in \mathbb{N}} G(f_k)\big) = \sup^{\uparrow}_{k \in \mathbb{N}} F \circ G(f_k)$, and we conclude that $F \circ G$ is ω-continuous. 

The main difference between a prevision and a parametric prevision is the co-domain. Since the 
domain and the co-domain of a parametric prevision are the same, we can compose two parametric previsions to construct 
a new one. This allows us to consider least fixed points of parametric previsions. 

Definition 2 (Previsions) 

Let X be a non-empty set. Let F be a map from $M^+(X)$ to $[0, +\infty]$. The map F is said to be a 
prevision if: 

1. F is positively homogeneous; 

2. F is monotonic. 

Moreover, a prevision is said to be: 

1. (lower) $F(f + g) \ge F(f) + F(g)$, for all functions $f, g \in M^+(X)$; 

2. (upper) $F(f + g) \le F(f) + F(g)$, for all functions $f, g \in M^+(X)$; 

3. (linear) $F(f + g) = F(f) + F(g)$, for all functions $f, g \in M^+(X)$; 

4. (ω-continuous) for all ascending families $(f_n)_{n \in \mathbb{N}} \in M^+(X)$, $F\big(\sup^{\uparrow}_{n \in \mathbb{N}} f_n\big) = \sup^{\uparrow}_{n \in \mathbb{N}} F(f_n)$. 

The set $M^+(X)$ is equipped with the pointwise ordering. The following proposition shows why 
the term parametric appears in Definition 1. The space of parameters is the same as the domain of 
the functions of $M^+(X)$, i.e. the set X. When we fix a parameter, we get a classical prevision. 
Proposition 4 (parametric previsions and previsions) 

The map F from $M^+(X)$ to itself is a parametric (upper, lower, linear, ω-continuous) prevision 
iff for all $x \in X$, the map $F_x$ from $M^+(X)$ to $[0, +\infty]$ defined as $F_x(f) = F(f)(x)$ for all $f \in M^+(X)$ 
is an (upper, lower, linear, ω-continuous) classical prevision and the maps $x \mapsto F_x(h)$ are 
measurable for all $h \in M^+(X)$. 

The nondeterminism due to the tests and the value err implies that we cannot expect linearity. 
Indeed, the binary supremum of a sum is not equal to the sum of the suprema; we only have an 
inequality. In the case $\mathrm{Ans} = \mathbb{R}^+ \cup \{+\infty\}$, we can establish that the weakest precondition and 
continuation-passing style semantics defines an upper parametric prevision. To prove this result, 
we need a lemma which says that the semantics maps $M^+(X)$ to itself. 

Lemma 5 

If $\kappa \in M^+(E^*)$, then, for all instructions ${}^{\ell_1}P$, $\mathrm{wp}[{}^{\ell_1}P, \ell_2]^*(\kappa) \in M^+(E^*)$. 

Proof We prove this result by induction on the instructions. 

• Since skip is the identity map, $\kappa \in M^+(E^*)$ implies that $\mathrm{wp}[{}^{\ell_1}\mathtt{skip}, \ell_2]^*(\kappa)$ also belongs 
to $M^+(E^*)$. 

• Now, we consider the assignment. We define the map $h : E^* \to E^*$ which associates with $\rho$ the 
environment whose value at y is $\rho(y)$ if $y \ne x$ and $[\![e]\!]^*(\rho)$ otherwise. Each coordinate of h is either a coordinate projection or 
the concrete semantics of an expression, which is measurable by Proposition 1. We conclude that 
h is measurable since it is componentwise measurable. We conclude that $\mathrm{wp}[{}^{\ell_1}x := e, \ell_2]^*(\kappa) \in M^+(E^*)$ 
(as the composition $\kappa \circ h$ of measurable maps) for all $\kappa \in M^+(E^*)$. 

• Let $\kappa \in M^+(E^*)$. The function $\mathrm{wp}[{}^{\ell_1}P;\,{}^{\ell_2}Q, \ell_3]^*(\kappa)$ is defined as $\mathrm{wp}[{}^{\ell_1}P, \ell_2]^*\big(\mathrm{wp}[{}^{\ell_2}Q, \ell_3]^*(\kappa)\big)$. 
Suppose that $\mathrm{wp}[{}^{\ell_1}P, \ell_2]^*(\kappa')$ and $\mathrm{wp}[{}^{\ell_2}Q, \ell_3]^*(\kappa'')$ belong to $M^+(E^*)$ for all $\kappa', \kappa'' \in M^+(E^*)$. 
Then $\kappa' := \mathrm{wp}[{}^{\ell_2}Q, \ell_3]^*(\kappa)$ is positive and measurable. We conclude that $\mathrm{wp}[{}^{\ell_1}P, \ell_2]^*(\kappa') \in M^+(E^*)$. 

• Let $\kappa \in M^+(E^*)$. We have: 

$$\begin{aligned}
\mathrm{wp}[{}^{\ell_1}\mathtt{if}\ t\ \mathtt{then}\ {}^{\ell_2}P\ \mathtt{else}\ {}^{\ell_3}Q, \ell_4]^*(\kappa)
&= \sup\big(\mathrm{wp}[{}^{\ell_2}P, \ell_4]^*(\kappa),\ \mathrm{wp}[{}^{\ell_3}Q, \ell_4]^*(\kappa)\big)\, \chi_{\{\rho \mid [\![t]\!]^*(\rho) = \{0,1\}\}} \\
&\quad + \mathrm{wp}[{}^{\ell_2}P, \ell_4]^*(\kappa)\, \chi_{\{\rho \mid [\![t]\!]^*(\rho) = \{1\}\}} \\
&\quad + \mathrm{wp}[{}^{\ell_3}Q, \ell_4]^*(\kappa)\, \chi_{\{\rho \mid [\![t]\!]^*(\rho) = \{0\}\}}
\end{aligned}$$

Suppose that $\mathrm{wp}[{}^{\ell_2}P, \ell_4]^*(\kappa)$ and $\mathrm{wp}[{}^{\ell_3}Q, \ell_4]^*(\kappa)$ are in $M^+(E^*)$. From Proposition 2, the 
functions $\chi_{\{\rho \mid [\![t]\!]^*(\rho) = \{1\}\}}$, $\chi_{\{\rho \mid [\![t]\!]^*(\rho) = \{0\}\}}$ and $\chi_{\{\rho \mid [\![t]\!]^*(\rho) = \{0,1\}\}}$ are positive measurable functions. Since 
$M^+(E^*)$ is stable under product, sum and binary suprema, $\mathrm{wp}[{}^{\ell_1}\mathtt{if}\ t\ \mathtt{then}\ {}^{\ell_2}P\ \mathtt{else}\ {}^{\ell_3}Q, \ell_4]^*(\kappa) \in M^+(E^*)$. 

• Let $\kappa \in M^+(E^*)$. We have, from Lemma 3: 

$$\mathrm{wp}[{}^{\ell_1}\mathtt{while}\ t\ {}^{\ell_2}P, \ell_3]^*(\kappa) = \big(\mathrm{lfp}(H_{t,{}^{\ell_2}P,\ell_1})\big)(\kappa) = \Big(\sup^{\uparrow}_{n \in \mathbb{N}} H^n_{t,{}^{\ell_2}P,\ell_1}\big(\bot_{F(E^*,[0,+\infty])}\big)\Big)(\kappa) = \sup^{\uparrow}_{n \in \mathbb{N}} \Big(H^n_{t,{}^{\ell_2}P,\ell_1}\big(\bot_{F(E^*,[0,+\infty])}\big)(\kappa)\Big)$$

We suppose that $\mathrm{wp}[{}^{\ell_2}P, \ell_1]^*(\kappa') \in M^+(E^*)$ for all $\kappa' \in M^+(E^*)$. Since $M^+(E^*)$ is an ω-cpo whose 
smallest element is the null function, it suffices to show that for all $n \in \mathbb{N}$, $\big(H^n_{t,{}^{\ell_2}P,\ell_1}(\bot_{F(E^*,[0,+\infty])})\big)(\kappa)$ 
belongs to $M^+(E^*)$. We prove this property by induction on n. The null function is positive 
and measurable. Now, suppose that for some integer n, $\big(H^n_{t,{}^{\ell_2}P,\ell_1}(\bot_{F(E^*,[0,+\infty])})\big)(\kappa)$ 
belongs to $M^+(E^*)$. We have: 

$$\begin{aligned}
\big(H^{n+1}_{t,{}^{\ell_2}P,\ell_1}(\bot_{F(E^*,[0,+\infty])})\big)(\kappa)
&= \sup\Big(\mathrm{wp}[{}^{\ell_2}P, \ell_1]^*\big(\big(H^n_{t,{}^{\ell_2}P,\ell_1}(\bot_{F(E^*,[0,+\infty])})\big)(\kappa)\big),\ \kappa\Big)\, \chi_{\{\rho \mid [\![t]\!]^*(\rho) = \{0,1\}\}} \\
&\quad + \mathrm{wp}[{}^{\ell_2}P, \ell_1]^*\big(\big(H^n_{t,{}^{\ell_2}P,\ell_1}(\bot_{F(E^*,[0,+\infty])})\big)(\kappa)\big)\, \chi_{\{\rho \mid [\![t]\!]^*(\rho) = \{1\}\}} \\
&\quad + \kappa\, \chi_{\{\rho \mid [\![t]\!]^*(\rho) = \{0\}\}}
\end{aligned}$$

From the induction hypotheses (on instructions and on the integer n), Proposition 2 and the stability of $M^+(E^*)$ under 
product, sum and binary suprema, we conclude that $\big(H^{n+1}_{t,{}^{\ell_2}P,\ell_1}(\bot_{F(E^*,[0,+\infty])})\big)(\kappa)$ belongs 
to $M^+(E^*)$. In conclusion, for all $n \in \mathbb{N}$, $\big(H^n_{t,{}^{\ell_2}P,\ell_1}(\bot_{F(E^*,[0,+\infty])})\big)(\kappa)$ belongs to $M^+(E^*)$ and 
$\mathrm{wp}[{}^{\ell_1}\mathtt{while}\ t\ {}^{\ell_2}P, \ell_3]^*(\kappa) \in M^+(E^*)$. □ 

Proposition 5 

When $\mathrm{Ans} = \mathbb{R}^+ \cup \{+\infty\}$ and $X = E^*$, for every instruction ${}^{\ell}P$, for every label $\ell'$, $\mathrm{wp}[{}^{\ell}P, \ell']^*$ is 
an upper ω-continuous parametric prevision. 

Proof The fact that for every instruction ${}^{\ell}P$, for every label $\ell'$, $\mathrm{wp}[{}^{\ell}P, \ell']^*$ is ω-continuous and 
monotonic follows directly from Lemma 4. The measurability has just been proved in Lemma 5. 
It suffices to show the positive homogeneity and the "upper condition". We prove it by induction 
on instructions. 

• The identity is clearly a linear ω-continuous prevision, thus $\mathrm{wp}[{}^{\ell_1}\mathtt{skip}, \ell_2]^*$ is an upper parametric 
prevision. 

• Suppose we have a map $g : E^* \to E^*$ and consider the map F from $M^+(E^*)$ to itself defined 
by $F(f) = f \circ g$ for all $f \in M^+(E^*)$. The map F is clearly a linear ω-continuous prevision; 
this implies that $\mathrm{wp}[{}^{\ell_1}x := e, \ell_2]^*$ is an upper parametric prevision. 

• By induction hypothesis, the maps $\mathrm{wp}[{}^{\ell_1}P, \ell_2]^*$ and $\mathrm{wp}[{}^{\ell_2}Q, \ell_3]^*$ are upper parametric 
previsions; by Proposition 3 (the third point), $\mathrm{wp}[{}^{\ell_1}P;\,{}^{\ell_2}Q, \ell_3]^*$ is an upper parametric prevision. 

• We use Proposition 4. For all $\rho$ such that $[\![t]\!]^*(\rho) = \{0\}$, 

$$\kappa \mapsto \mathrm{wp}[{}^{\ell_1}\mathtt{if}\ t\ \mathtt{then}\ {}^{\ell_2}P\ \mathtt{else}\ {}^{\ell_3}Q, \ell_4]^*(\kappa)(\rho) = \big(\mathrm{wp}[{}^{\ell_3}Q, \ell_4]^*(\kappa)\big)(\rho)$$

which is by induction hypothesis a classical upper prevision. For all $\rho$ such that $[\![t]\!]^*(\rho) = \{1\}$, 
the same argument leads to the result. Now suppose that $[\![t]\!]^*(\rho) = \{0, 1\}$; by Proposition 3 
(the second point) and the induction hypothesis, we conclude that $\kappa \mapsto \mathrm{wp}[{}^{\ell_1}\mathtt{if}\ t\ \mathtt{then}\ {}^{\ell_2}P\ \mathtt{else}\ {}^{\ell_3}Q, \ell_4]^*(\kappa)(\rho)$ is 
a classical upper prevision. The map $\kappa \mapsto \mathrm{wp}[{}^{\ell_1}\mathtt{if}\ t\ \mathtt{then}\ {}^{\ell_2}P\ \mathtt{else}\ {}^{\ell_3}Q, \ell_4]^*(\kappa)(\rho)$ 
is a classical upper prevision for all $\rho \in E^*$, hence $\mathrm{wp}[{}^{\ell_1}\mathtt{if}\ t\ \mathtt{then}\ {}^{\ell_2}P\ \mathtt{else}\ {}^{\ell_3}Q, \ell_4]^*$ is an upper 
parametric prevision. 

• By Proposition 3 (the first point), it suffices to prove that the auxiliary map $H_{t,{}^{\ell_2}P,\ell_1}(\bot_{F(E^*,\mathrm{Ans})})$ 
is an upper ω-continuous parametric prevision. From Lemma 3, $H_{t,{}^{\ell_2}P,\ell_1}(\bot_{F(E^*,\mathrm{Ans})})$ is ω-
continuous and monotonic. It suffices to show that $H_{t,{}^{\ell_2}P,\ell_1}(\bot_{F(E^*,\mathrm{Ans})})$ is positively 
homogeneous and upper. We prove the result by using Proposition 4. Let $\rho \in E^*$. Suppose 
that $[\![t]\!]^*(\rho) = \{1\}$. The result follows from the induction hypothesis. Now suppose that 
$[\![t]\!]^*(\rho) = \{0\}$; then $H_{t,{}^{\ell_2}P,\ell_1}(\bot_{F(E^*,\mathrm{Ans})})$ is the identity and the result follows from the linearity 
of the identity. Finally suppose that $[\![t]\!]^*(\rho) = \{0, 1\}$; the result follows from the stability of 
upper parametric previsions under binary suprema. □ 

6 Special case of inputs 

In this subsection, we are interested in the interaction between the program and an external environ-
ment. This interaction can be viewed as a sensor which saves data from the external environment 
thanks to a command input. We suppose that these data are at the same time noisy and imprecise. 
Mathematically, this can be modelled by ω-capacities. It means that we want to represent, for a fixed 
environment $\rho$, the input as an ω-capacity. We assume that only k variables $x_{i_1}, x_{i_2}, \ldots, x_{i_k}$ are 
affected by the input. 
An ω-capacity on a topological space X is a map $\nu : \mathcal{B}(X) \to \mathbb{R}^+$ such that: 

$$\nu(\emptyset) = 0, \qquad \nu(U) \ge 0 \text{ for all } U \in \mathcal{B}(X).$$

The ω-capacity is said to be: 

• monotonic iff for all $U, V \in \mathcal{B}(X)$: 

$$U \subseteq V \Rightarrow \nu(U) \le \nu(V);$$

• continuous iff for all nondecreasing sequences $(U_n)_{n \in \mathbb{N}} \subseteq \mathcal{B}(X)$: 

$$\nu\Big(\bigcup_{n \in \mathbb{N}} U_n\Big) = \sup^{\uparrow}_{n \in \mathbb{N}} \nu(U_n);$$

• convex iff for all $U, V \in \mathcal{B}(X)$: 

$$\nu(U \cup V) + \nu(U \cap V) \ge \nu(U) + \nu(V);$$

• concave iff for all $U, V \in \mathcal{B}(X)$: 

$$\nu(U \cup V) + \nu(U \cap V) \le \nu(U) + \nu(V).$$



We will use the following result relating convexity to super- (sub-) linearity of the Choquet integral. 

Proposition 6 

Let X be a topological space. Let f and g be in $M^+(X)$. Let $\alpha, \beta$ be two positive reals. 

Let $\nu$ be a convex ω-capacity; then the Choquet integral is superlinear: 

$$\oint \alpha f(x) + \beta g(x)\, d\nu \ge \alpha \oint f(x)\, d\nu + \beta \oint g(x)\, d\nu$$

Let $\nu$ be a concave ω-capacity; then the Choquet integral is sublinear: 

$$\oint \alpha f(x) + \beta g(x)\, d\nu \le \alpha \oint f(x)\, d\nu + \beta \oint g(x)\, d\nu$$

For $\rho \in E^*$, we suppose that $[\![(x_{i_1}, x_{i_2}, \ldots, x_{i_k}) := \mathtt{input}()]\!]_c(\rho)$ is a monotonic continuous ω-
capacity $\nu$ on $V_I = \{x_{i_1}, x_{i_2}, \ldots, x_{i_k}\}$. We denote $V_{-I} = \{x \in V, x \notin V_I\}$ and we suppose 
that a certain $\rho_0 : V_{-I} \to \mathbb{R}_e$ (or with values in $\mathbb{F}_e$) is given. We want to extend the ω-capacity 
$[\![\mathtt{input}]\!]_c(\rho)$ to $\mathbb{R}_e^V$ (or $\mathbb{F}_e^V$), taking into account the fact that the unaffected variables are represented 
by the fixed environment $\rho_0$. We extend $[\![\mathtt{input}]\!]_c(\rho)$ to an ω-capacity $\widetilde{[\![\mathtt{input}]\!]}_c(\rho)$ over $\mathbb{R}_e^V$ (or 
$\mathbb{F}_e^V$) as follows: 

$$\widetilde{[\![\mathtt{input}]\!]}_c(\rho)(C) = [\![\mathtt{input}]\!]_c(\rho)\big(\{x \in \mathbb{R}_e^{V_I} \mid (x, \rho_0) \in C\}\big)$$

for all Borel sets C of $E^*$. This latter definition means that the measure of a Borel set is completely 
determined by its affected part (by the instruction input). 

Assumption 2 

We assume that $\rho \mapsto \widetilde{[\![\mathtt{input}]\!]}_c(\rho)(U)$ is measurable for all $U \in \mathcal{B}(E^*)$. 

We define a last semantics which is the integration of the "continuation" by an ω-capacity. Let 
$\kappa : E^* \to \mathbb{R}^+$ be a positive measurable function. We define the semantics of the instruction input 
as: 

$$\mathrm{wp}[\![\mathtt{input}]\!]^*(\kappa)(\rho) = \oint_{\rho' \in E^*} \kappa(\rho')\, d\widetilde{[\![\mathtt{input}]\!]}_c(\rho)$$
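The Choquet-integral semantics of input and the super/sublinearity of Proposition 6, worked over a finite set of sensor readings (an added example, not code from the report): sensor_cap, READINGS and the threshold continuation used below are constructed, and X is finite so that every subset is Borel and convexity can be checked by enumeration.

```python
"""Choquet integral against a capacity on a finite set, and wp[input]* built on it."""
from itertools import combinations

def choquet(f, nu, X):
    """Choquet integral of f >= 0 over the finite set X w.r.t. the capacity nu.
    With the distinct values a_0 < a_1 < ... of f, it is the sum of
    (a_i - a_{i-1}) * nu({x : f(x) >= a_i}): the step-function formula
    sum a_i nu(A_i) with nonincreasing level sets A_i used in Proposition 7."""
    total, prev = 0.0, 0.0
    for a in sorted(set(f(x) for x in X)):
        total += (a - prev) * nu(frozenset(x for x in X if f(x) >= a))
        prev = a
    return total

def _subsets(X):
    return [frozenset(c) for r in range(len(X) + 1) for c in combinations(X, r)]

def is_convex(nu, X):
    """nu(U ∪ V) + nu(U ∩ V) >= nu(U) + nu(V) for all U, V (all subsets are Borel here)."""
    return all(nu(U | V) + nu(U & V) >= nu(U) + nu(V) - 1e-12
               for U in _subsets(X) for V in _subsets(X))

def is_concave(nu, X):
    """nu(U ∪ V) + nu(U ∩ V) <= nu(U) + nu(V) for all U, V."""
    return all(nu(U | V) + nu(U & V) <= nu(U) + nu(V) + 1e-12
               for U in _subsets(X) for V in _subsets(X))

READINGS = frozenset({1, 2, 3})      # constructed finite set of possible sensor values

def sensor_cap(U):
    """Constructed convex capacity on READINGS: a set of readings is credited only
    once it contains more than one of them (a pessimistic, imprecise belief)."""
    return max(0.0, (len(U) - 1) / (len(READINGS) - 1))

def dual(nu, X):
    """Conjugate capacity U -> nu(X) - nu(X \\ U); it is concave when nu is convex."""
    return lambda U: nu(X) - nu(X - U)

def wp_input(kappa, rho, nu, X, x="x"):
    """wp[input]*(kappa)(rho): integrate the continuation against the capacity
    extended to environments, i.e. only the affected variable x varies while the
    other variables keep the values fixed by rho (the rho_0 of the extension)."""
    return choquet(lambda r: kappa({**rho, x: r}), nu, X)
```

For sensor_cap the integrals of $r$ and $4 - r$ are each 1.5 while that of their sum, the constant 4, is 4.0: the strict superlinearity gap is where the imprecision shows, and the conjugate capacity gives the matching upper value of a threshold check (0.5 under sensor_cap, 1.0 under its dual).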
Proposition 7 

Under Assumption 2, for all $\kappa \in M^+(E^*)$, the function $\rho \mapsto \mathrm{wp}[\![\mathtt{input}]\!]^*(\kappa)(\rho)$ belongs to 
$M^+(E^*)$. 

Proof The positivity is clear from the definition of the Choquet integral. We only give a proof 
for the measurability. Let $\kappa$ be a positive measurable function. Then $\kappa$ is the nondecreasing 
supremum of a sequence of positive step functions $(\varphi_n)_{n \in \mathbb{N}}$ and: 

$$\oint_{\rho' \in E^*} \kappa(\rho')\, d\widetilde{[\![\mathtt{input}]\!]}_c(\rho) = \oint_{\rho' \in E^*} \sup^{\uparrow}_{n \in \mathbb{N}} \varphi_n(\rho')\, d\widetilde{[\![\mathtt{input}]\!]}_c(\rho).$$

From the ω-Scott continuity of Choquet integrals, we get: 

$$\oint_{\rho' \in E^*} \kappa(\rho')\, d\widetilde{[\![\mathtt{input}]\!]}_c(\rho) = \sup^{\uparrow}_{n \in \mathbb{N}} \oint_{\rho' \in E^*} \varphi_n(\rho')\, d\widetilde{[\![\mathtt{input}]\!]}_c(\rho).$$

The functions $\varphi_n$ have the form $\sum_{i=0}^{K_n} a^i_n \chi_{A^i_n}$, where $(A^i_n)_i$ is a nonincreasing sequence of Borel sets, 
for all $n \in \mathbb{N}$. Thus, we have: 

$$\oint_{\rho' \in E^*} \varphi_n(\rho')\, d\widetilde{[\![\mathtt{input}]\!]}_c(\rho) = \sum_{i=0}^{K_n} a^i_n\, \widetilde{[\![\mathtt{input}]\!]}_c(\rho)(A^i_n).$$

Hence, from Assumption 2, the map $\rho \mapsto \widetilde{[\![\mathtt{input}]\!]}_c(\rho)(A^i_n)$ is measurable for all $n \in \mathbb{N}$ and 
all $i \in \{0, \ldots, K_n\}$, and then for all $n \in \mathbb{N}$, $\rho \mapsto \sum_{i=0}^{K_n} a^i_n\, \widetilde{[\![\mathtt{input}]\!]}_c(\rho)(A^i_n)$ is measurable. We conclude 
that the map $\rho \mapsto \oint_{\rho' \in E^*} \kappa(\rho')\, d\widetilde{[\![\mathtt{input}]\!]}_c(\rho)$ is measurable since it is the pointwise supremum of 
measurable functions. □ 
Proposition 8 

If the ω-capacity $[\![\mathtt{input}]\!]_c(\rho)$ is convex (concave) and ω-continuous, then $\kappa \mapsto \mathrm{wp}[\![\mathtt{input}]\!]^*(\kappa)(\rho)$ 
defines an upper (lower) ω-continuous prevision. 

The proof of this latter proposition is left to the reader. Indeed, from Proposition 6, if the 
capacity is convex (concave) then the Choquet integral is superlinear (sublinear). The proof thus 
reduces to showing that if the capacity $[\![\mathtt{input}]\!]_c(\rho)$ is convex or concave then the extended 
capacity $\widetilde{[\![\mathtt{input}]\!]}_c(\rho)$ fulfils the same property. 